"guix lint -c cve" does not account for language prefixes (rust-,python-,go-,..)

  • Open
  • quality assurance status badge
Details
3 participants
  • Léo Le Bouter
  • Ludovic Courtès
  • zimoun
Owner
unassigned
Submitted by
Léo Le Bouter
Severity
normal

Debbugs page

L
L
Léo Le Bouter wrote on 16 Mar 2021 02:29
(address . bug-guix@gnu.org)
706d51950b7545eefd43a54f738bc82df0d7f36c.camel@zaclys.net
./pre-inst-env guix lint -c cve python-urllib3@1.26.2
Here this should return at least CVE-2021-28363 but it does not because
the CVE database contains urllib3 and not python-urllib3 (which AFAICT
the cve linter searches for).

Annotating each and every python-, go-, and rust- package with cpe-name
properties is going to be very annoying. I suggest we add some
heuristics that try both the full name and prefix-trimmed name. python-
urllib3's cpe name and vendor is python (vendor) urllib3 (name).

Same story for CVE-2021-28305 and rust-diesel, though it doesnt even
have a CPE entry yet.
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBQeocACgkQRaix6GvN
EKYwbRAAvxOJo9PUoxYyYGmQHbp+QgOBwdzrPBLxZs/rCRiyOW5pf8//By8pIKFR
ux0nKH92TNB3pLyWuAvwd+IvEGBeaAgFAPjXHhHkRoY/ywCdAam5BaBWmigdYd5P
qcAc9CDJTjHrZTU43SG5NbXN/9xxeGrePLEs12PDN4nYUf+7G5qdYEEuaxn/pCTn
T/+2gL2734IvnAOvWLMwcevi1v+brnrJDuC3s2jJxfCV4NCeAcBfyEDtqgiR5R4t
Ci46fjiVn4IbHfeMKB0gT3cs3xdeEsThaBFfB1Bd8MLy61PD/2ihHkmxWjm06FrT
ojjwUydPa5/VwEIfUJJRiLmb2EyhJRAyTaJRBkQNQsTmipd3kz8uQVPEsgIa0u0W
dDcUPtCoDn3f9QLmZSUAZ3RbHsR/PaeXkidGv26Gwk2un7ctwlY9vM4oo5LbUS4F
X6Ljr5xUAbh3VzD5bfnHfCaImIahXK5m/Jsmd+C78ubwcU0DszWwqY571jq3Vg8j
9IPFNH7DMtg+ffEkqUUTZgMVAP8Xdm4KAvca2Ra7XqzxaHQphmofE0YgFFw36lod
+Hdyg95hp8KRPnlhfU6EYopoMTdZwyOyFEHG08TS4GC7WKR+UOpZ4j19WDNMEt6Z
uyKeHI9kcoJaIQ1genGKkv0BtAE18Fz1XWSgybsks4OSU0Ow8zA=
=j6lI
-----END PGP SIGNATURE-----


Z
Z
zimoun wrote on 16 Mar 2021 06:05
Re: bug#47188: "guix lint -c cve" does not account for language prefixes (rust-, python-, go-, ..)
(name . Léo Le Bouter)(address . lle-bout@zaclys.net)(address . 47188@debbugs.gnu.org)
CAJ3okZ2yHtxtbi0vhskAJCCWT_NkQuOUnLof9cm7MRDwpeAkug@mail.gmail.com
Hi,

On Tue, 16 Mar 2021 at 10:30, Léo Le Bouter via Bug reports for GNU
Guix <bug-guix@gnu.org> wrote:

Toggle quote (5 lines)
> ./pre-inst-env guix lint -c cve python-urllib3@1.26.2
> Here this should return at least CVE-2021-28363 but it does not because
> the CVE database contains urllib3 and not python-urllib3 (which AFAICT
> the cve linter searches for).

Does the CVE use the upstream name? Or a normalized name?

I mean, in the R world, packages can have names as 'org.EcK12.eg.db'
which becomes "r-org-eck12-eg-db". To easy the mapping for updating
and co, the package definition contains:

(properties
`((upstream-name . "org.EcK12.eg.db")))

Maybe, it could be worth to have similar things. WDYT?


All the best,
simon
L
L
Ludovic Courtès wrote on 18 Mar 2021 06:26
Re: bug#47188: "guix lint -c cve" does not account for language prefixes (rust-,python-,go-,..)
(name . Léo Le Bouter)(address . lle-bout@zaclys.net)(address . 47188@debbugs.gnu.org)
87a6r0r3t1.fsf@gnu.org
Hi,

Léo Le Bouter <lle-bout@zaclys.net> skribis:

Toggle quote (13 lines)
> ./pre-inst-env guix lint -c cve python-urllib3@1.26.2
> Here this should return at least CVE-2021-28363 but it does not because
> the CVE database contains urllib3 and not python-urllib3 (which AFAICT
> the cve linter searches for).
>
> Annotating each and every python-, go-, and rust- package with cpe-name
> properties is going to be very annoying. I suggest we add some
> heuristics that try both the full name and prefix-trimmed name. python-
> urllib3's cpe name and vendor is python (vendor) urllib3 (name).
>
> Same story for CVE-2021-28305 and rust-diesel, though it doesnt even
> have a CPE entry yet.

Yes, that’s an issue. We can address these by adding a ‘cpe-name’
property (info "(guix) Invoking guix lint"), but that’s going to be
tedious. We can at least add it to high-profile packages for now.

Tooling that suggests or deduces the CPE name would help a lot:


Ludo’.
L
L
Ludovic Courtès wrote on 18 Mar 2021 06:38
control message for bug #47188
(address . control@debbugs.gnu.org)
877dm4ponv.fsf@gnu.org
tags 47188 + security
quit
?
Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 47188@patchwise.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 47188
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch